If I understand the situation correctly, SpongyCastle is a renaming of BouncyCastle and it was created to give people the ability to include a new version of BouncyCastle on Android, since just including the latest BouncyCastle jar would cause conflicts with the old and stripped down version of BouncyCastle that came with Android.
However, apparently since version 3.0 (in 2011 - 6 years ago!) the Android BouncyCastle package was renamed to com.android.org.bouncycastle, so that now if you included the regular org.bouncycastle, this would no longer conflict with the pre-packaged stripped down BouncyCastle, and you could use the newest version that way.
What confuses me is that it seems like the SpongyCastle project is still quite active and whenever I search for "BouncyCastle on Android" or anything related, I get a lot of results from the last couple of years which recommend using SpongyCastle, citing the class conflict issues as the reasoning, even though they were (apparently) resolved all the way back in 2011. Another argument I've seen that makes more sense to me is that SpongyCastle is more backwards compatible, since you won't get any issues on devices running earlier versions of Android than 3.0.
So my question is, are there still any benefits to using SpongyCastle over BouncyCastle, if you are not targeting earlier versions of Android than 3.0?
The first step is to include the necessary libraries in your gradle file. You can get standard Bouncy Castle from maven, no need to download and check in the JARs into your project. When building with gradle add the following to your dependencies section in your gradle project file:

On the other hand if you want to write code that takes advantage of Bouncy Castle via the security provider then you should first replace the built-in Android Bouncy Castle security provider with the standard one since Java does not allow two security providers with the same name. This should be done as early as possible during application startup:

If you are using gradle you can run the dependencies command to show all dependencies and see if Bouncy Castle is being included in multiple forms: docs.gradle.org/current/userguide/…

Or better still use SpongyCastle since the BC shipped with Android is both crippled and old.

Is this still true? Can you be more specific than "old"?
Here's what the author of Spongy Castle wrote on this:
Why might Spongy Castle not be obsolete?
- pre-Android 3.0 devices are still in active use. There are higher areas of use in poorer countries, and those people still need secure cryptography. Signal (not a SC user, so far as I'm aware) currently still supports Android 2.3 and up.
- even on post-Android 3.0 devices, device manufacturers are not above carelessly bundling libraries, it's possible that Bouncy Castle may still be bundled on some obscure devices.
- Although the version of Bouncy Castle bundled with Android has a changed package name, it still has "BC" as the provider name, leaving some ambiguity as to the choice of implementation when adding your own copy of Bouncy Castle to the app and choosing "BC" as your provider.
But then he went on to note that Spongy Castle releases often lag behind the Bouncy Castle releases ... for reasons which are entirely understandable.
In short, for an Android device the only possible benefits in using Spongy Castle would appear to be to deal with cases where your application needs recent Bouncy Castle functionality, but device manufacturers have bundled an old version.
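As an added illustration of the provider replacement described in the first answer and of the "BC" name ambiguity the Spongy Castle author mentions (example code written for this page, not code from either answer), here is an Android Application subclass that swaps the bundled "BC" provider for the standard one at startup and then checks which class actually answers to that name. It assumes the standard artifact (e.g. org.bouncycastle:bcprov-jdk15on, version of your choosing) is declared in the gradle dependencies and that this class is registered as the application class in the manifest.

```java
// Added example: replace Android's bundled "BC" provider with the standard
// Bouncy Castle provider at startup and verify the swap took effect.
import android.app.Application;
import android.util.Log;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

import java.security.Provider;
import java.security.Security;

public class CryptoApplication extends Application {
    private static final String TAG = "CryptoApplication";

    @Override
    public void onCreate() {
        super.onCreate();
        installStandardBouncyCastle();
    }

    /** Ensures the provider registered under "BC" is the standard Bouncy Castle one. */
    static void installStandardBouncyCastle() {
        // BouncyCastleProvider.PROVIDER_NAME is "BC"; Android's stripped-down copy
        // (package com.android.org.bouncycastle) registers under the same name.
        Provider current = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
        if (current != null && !(current instanceof BouncyCastleProvider)) {
            // Different class with the same name: the JCA allows only one provider
            // per name, so the bundled one must go before ours can be registered.
            Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
            current = null;
        }
        if (current == null) {
            // Position 1 makes it the first provider consulted; callers should still
            // name "BC" explicitly in getInstance() calls to avoid any ambiguity.
            Security.insertProviderAt(new BouncyCastleProvider(), 1);
        }
        // Sanity check: whatever answers to "BC" now must be the class we shipped.
        Provider active = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
        if (!(active instanceof BouncyCastleProvider)) {
            throw new IllegalStateException(
                    "Unexpected BC provider class: " + active.getClass().getName());
        }
        Log.i(TAG, "Using BC provider " + active.getClass().getName()
                + " (" + active.getInfo() + ")");
    }
}
```

The logged class name is the quickest way to tell, on a given device, whether the org.bouncycastle copy or a manufacturer's bundled one is in use.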